CA/Browser

Internal Server Names and IP Address Requirements for SSL: Guidance on the Deprecation of Internal Server Names and Reserved IP Addresses provided by the CA/Browser Forum

June 2012, Version 1.0

Introduction Definitions For the purposes of certificate issuance pursuant to the BR On November 22, 2011, the CA/Browser Forum adopted 1.0, the following definitions are used: “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates, Version 1.0” (hereafter 1  : The label assigned to a node in referred to as the “BR 1.0”) to take effect on July 1, 2012 . the Domain Name System. As part of these requirements, Section 9.2.1 indicates:  Fully‐Qualified Domain Name (FQDN): A

Domain Name that includes the labels of all superior nodes in the Domain Name As of the Effective Date of these System. Requirements, prior to the issuance of  Internal Server Name: A Server Name (which a Certificate with a Subject Alternative may or may not include an Unregistered Name (SAN) extension or Subject Domain Name) that is not resolvable using the Common Name field containing a public DNS. Reserved IP Address or Internal Server  Reserved IP Address: An IPv4 or IPv6 address Name, the CA SHALL notify the that the IANA has marked as reserved: Applicant that the use of such http://www.iana.org/assignments/ipv4‐address‐ Certificates has been deprecated by space/‐address‐space.xml

the CA / Browser Forum and that the http://www.iana.org/assignments/ipv6‐address‐ practice will be eliminated by October space/‐address‐space.xml 2016. Background Also as of the Effective Date, the CA Certification Authorities enable the establishment of trust SHALL NOT issue a certificate with an on the Internet by issuing certificates that bind Expiry Date later than 1 November cryptographic public key material to verified identities. For 2015 with a SAN or Subject Common this document, we are concerned only with certificates Name field containing a Reserved IP that identify computers acting as servers offering one or Address or Internal Server Name. more of a variety of protocols (most commonly HTTP for Web traffic, but also SMTP, POP, IMAP, FTP, XMPP, RDP and others) over SSL/TLS. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose A server might be reachable by a variety of names and SAN or Subject Common Name field addresses. A server connected to the public Internet will contains a Reserved IP Address or typically have a name in the Internet Domain Name Internal Server Name. System (DNS) that allows its address to be resolved by any other system on the Internet. An example Domain Name would be “server123.cabforum.org”. Such a system will have a publicly routable IP address, either or This document explains this change and the reasons both IPv4 or IPv6. behind it, and suggests alternatives for affected 1 subscribers. http://www.cabforum.org

CA/Browser Forum 2012 – Page 1 Guidance on the Deprecation of Internal Server Names

Servers might have additional names and addresses which additional cost of provisioning a new trust root to clients. are only valid in the context of a local network instead of This may be especially desirable for networks lacking across the entire Internet. These might include names centralized policy deployment and management tools, resolvable through NetBIOS, Link‐Local Multicast Name such as “Bring Your Own Device” environments. Resolution (e.g. on a Windows PC), multicast DNS (e.g. Unfortunately, even these “legitimate” deployments through Apple’s Bonjour protocol), or other protocols. come with hidden dangers, and such certificates are Continuing our example above, the same server might also frequently misused. A survey by the EFF’s SSL Observatory be reachable to other computers on its local network by in 2011 found over 37,000 certificates with unqualified 2 the names “www” or “www.local”. names on servers facing the public Internet.

Local names might resolve to a publicly routable IP address, or they might resolve to addresses that are only Dangers of Publicly Trusted Certificates valid on a local network. The “192.168.*.*” IP address for Non‐Unique Identifiers space used by many home Internet Gateway Devices is Consider a corporation that has deployed an internal perhaps the best known set of mail system at the address “://mail/”. The system addresses, but there are many ranges of IPv4 and IPv6 is not reachable from the public Internet – only on the address space reserved for private or other usages. local corporate network or over the VPN. Is such a system secure? The key distinction between the two types of names and addresses is uniqueness. A fully qualified domain name If certificates for the name “mail” are available from like “www.cabforum.org” represents a unique and publicly trusted Certification Authorities, it cannot be. The distinct identity on the Internet (even if multiple servers name mail is not unique, so anyone can potentially obtain respond to that name, the control of that name belongs a certificate that validates for “https://mail/”. If an to a single entity). In contrast, at any given time, there attacker brings such a certificate into the corporate may be thousands of systems on public and private network, it can be used in combination with local name networks that could respond to the unqualified name spoofing to perfectly impersonate the real corporate mail “www”. Only one logical host on the Internet has the IP server and steal users’ credentials and other confidential address “97.74.42.11”, while there are tens of thousands information. The attacker might not even need to be on of home Internet gateways that have the address the corporate network to mount a successful attack. If a “192.168.0.1”. user connects their corporate laptop to a public WiFi network, the mail client might automatically attempt to The purpose of certificates issued by publicly trusted connect to “https://mail/” before a VPN connection is Certification Authorities is to provide trust in names established. If an attacker has anticipated this, again, a across the scope of the entire Internet. Non‐unique perfect impersonation can be made and the user’s names, by their very nature, cannot be attested to credentials stolen. outside their local context, and such certificates can be dangerously misused, so, as of the effective date of the 2 BR 1.0, issuance of certificates for non‐unique names https://www.eff.org/deeplinks/2011/04/unqualified‐ and addresses, such as “www”, “www.local”, or names‐ssl‐observatory “192.168.0.1” is deprecated.

Current Usage of Deprecated Certificates As a convenience for users, many servers in corporate networks are reachable by local names such as “mail”, “wiki” or “hr”. Most publicly trusted certificates for non‐unique names are deployed in the context of local networks to enable trust in these local names without the

CA/Browser Forum 2012 – Page 2 Guidance on the Deprecation of Internal Server Names

In thinking about this attack, it is important to note that Recommended Alternatives it does not depend on whether the corporation deploying the mail server purchased the certificate for Use a fully‐qualified domain name certificate and DNS “https://mail/” from a publicly‐trusted CA, or issued it domain suffix search. from a private, enterprise‐scope CA. If the certificate Many sites reachable with an unqualified name may still used by an attacker chains to a CA in the browser or be reachable and properly identified by FQDN because operating system trust store, it will be accepted by all DNS client software uses a process called suffix search, in clients ‐creating a vulnerability even for users of private which it appends configured suffixes to complete PKIs. unqualified names. This typically happens automatically for the domain a system is part of. So, for example, a The dangers these certificates pose extend even to system named “client.example.com” will use systems that use certificates with fully qualified domain “example.com” as a search suffix. When attempting to names, because the unqualified names may still be valid in resolve the name ”server”, it will automatically try other authentication contexts. In Microsoft Windows “server.example.com” in its DNS search. For more Active Directory environments, Integrated Windows information on configuring the DNS suffix search list on Authentication (IWA) over HTTP is a common method of Microsoft Windows, including for disjoint namespaces, authenticating to web servers in the corporate intranet. see: http://technet.microsoft.com/en‐ IWA uses the host name of a server to look up a target us/library/bb847901.aspx. identity in Active Directory and send appropriate credentials – but systems in Active Directory are always Since searches with DNS suffix completion are typically registered under both their short, NetBIOS name, and the attempted after local resolution fails, it may help to fully qualified domain name. This means that an attacker disable legacy NetBIOS name resolution on the client and presenting a certificate for “mail” can cause Internet turn off WINS name servers to force the use of DNS for Explorer to emit credentials that are valid for name resolution. NetBIOS can be disabled using DHCP as “mail.corporate.example.com” – and do so silently and detailed in the following KB article: automatically, because unqualified host names are http://support.microsoft.com/kb/313314. heuristically placed in the Local Intranet Zone. Modern Microsoft Windows networks can run exclusively If cryptographic channel binding technologies such as using DNS name resolution, but you must do careful 3 Extended Protection for Authentication are not testing before you turn off NetBIOS over TCP/IP in any configured, this can allow an attacker with an production environment. Programs and services that unqualified name certificate to easily gain access to depend on NetBIOS no longer work after you turn off intranet resources with the full privileges of any user on NetBT services, so it is important that you verify that your the same network – even if those resources correctly clients and programs no longer require NetBIOS support employ only fully‐qualified certificates. before you turn it off. Computers prior to , such as Windows NT and Windows 95 will not be able to Because non‐unique names cannot be meaningfully function in a network with NetBIOS disabled. validated in the context of the public Internet, and If you are using Outlook 2007 with Autodiscovery, see the because of the potential for malicious misuse of such FAQ for more information on using FQDNs instead of certificates, the CA/Browser Forum has decided to cease NetBIOS names to identify your Exchange Servers. issuing them after a grace period to allow affected users to transition away from them. 3 http://support.microsoft.com/kb/968389

CA/Browser Forum 2012 – Page 3 Guidance on the Deprecation of Internal Server Names

Use an enterprise/private CA to issue and trust Use IPSec certificates for non‐unique names In some cases, certificates with non‐unique names are The correct way to issue certificates for local names is to used to help meet regulatory or audit requirements for use a local . This can be done network traffic containing sensitive data to always be 4 manually, using free tools such as OpenSSL (many online encrypted. Unfortunately, while encryption without strong 5 6 tutorials are available), EJBCA , CACert or others. On a authentication (which publicly trusted, unqualified Microsoft Windows Active Directory Network, a Windows certificates cannot provide) may earn a checkbox from a Server can be configured in the Active Directory Certificate naïve auditor, it provides no real protection against the Services role to act as an enterprise CA, and the Active threats these requirements are ultimately meant to Directory Group Policy mechanisms can be used to defend against. In many cases IPSec may be a better automatically provision the certificate to domain joined option than SSL/TLS for meeting these requirements. IPSec clients and even automatically enroll servers for protects all traffic between associated hosts and is 7 application‐independent. Network management software certificates. such as Microsoft Windows Active Directory may provide If you do not want to create and manage your own tools to automate the provisioning of IPSec Security enterprise PKI, your current CA vendor may be able to Associations, or trust can be provisioned manually using provide you with a managed private PKI, issuing new self‐signed certificates or pre‐shared keys. Contact your certificates for you, managing the issuance infrastructure operating system vendor for more information on using and assisting you in configuring client systems to trust IPSec. the new private CA.

Manually provision trust in self‐signed certificates For smaller, unmanaged networks, self‐signed certificates can be trusted directly. Many server software packages include tools or the option to generate a self‐signed certificate which can be added 4 to the trust store as one would a CA cert, discussed http://www.openssl.org/ above. 5 http://www.ejbca.org/

Some applications, most commonly federation products 6 such as Microsoft ADFS and other SAML‐based Single Sign http://www.cacert.org/ 7 On solutions, always use directly provisioned trust, and do http://technet.microsoft.com/en‐ not require a certificate that chains to a trusted root to us/library/cc772393(v=ws.10).aspx operate correctly. 8 http://msdn.microsoft.com/en‐us/library/ms731899.aspx Many Web Services also have the ability to verify certificates using “peer trust”, where certificates can be explicitly trusted by placing them in a special store or directly in the service configuration (as opposed to “chain trust”, where certificates must chain up to a standard trusted root). More information about using peer trust for 8 web services on Windows can be found on MSDN.

CA/Browser Forum 2012 – Page 4 Guidance on the Deprecation of Internal Server Names

FAQ: These certificates are only on my internal network We are using Microsoft Active Directory Federation / only used for encrypting data in transit. What’s Services (ADFS) and it requires a certificate from a the danger? trusted root CA. If there is really no danger on a network, why use SSL/TLS? ADFS uses several certificates in its operations. Token The reality is that few networks are truly safe, and if it is Signing and Token Decrypting certificates are used to necessary to deploy SSL/TLS, it is necessary to deploy a establish the base trust relationship of a federation. certificate that meaningfully identifies the host and is not These certificates are always explicitly trusted by the two easily impersonated by an attacker – otherwise the ADFS servers, and managed with the ADFS snap‐in. encryption is meaningless. Even if you are willing to accept Because of this, they do not need to be issued by a the risk of these certificates for your configuration, the risk trusted CA or provisioned to any client machines. they present to the broader ecosystem means their issuance must be discontinued. The other type of certificate used is the Service Communication Certificate. This is the same certificate We only use these certificates on test servers to avoid used for IIS to secure SSL communications with a client. browser warnings. Web servers that are ADFS‐enabled, such as SharePoint, also need certificates trusted by all clients to enable Even if your usage doesn’t depend on the security of HTTPS. Because ADFS is used to enable cross‐ these certificates, their existence poses a danger to organizational trust, often across the Internet, it is very many other systems, so they are being deprecated. Use important that the Service Communication Certificate a private CA or explicitly trusted certificates, as and HTTPS certificates for ADFS‐enabled web servers described above, to enable test scenarios. Contact your always use fully‐qualified domain names and certificates CA vendor for information on managed private CA issued for the same. Use of a publicly‐issued, unqualified services. certificate allows these servers to be easily impersonated by anyone else with a certificate for the same name, We use the .local domain for our internal network. possibly resulting in unauthorized access. DNS suffix completion will not be appropriate for this configuration, but you can still use a private CA to issue For additional information, see: certificates for names ending in .local. Contact your CA http://technet.microsoft.com/enus/library/dd807040(v=ws.10).a vendor for information on managed private CA services. spx

I get certificate errors with Microsoft Exchange and Outlook 2007 Autodiscovery when I use an FQDN certificate. By default, the registered endpoint URIs for Exchange Autodiscovery use the server’s NetBIOS name, not its FQDN. The following KB article describes how to update that configuration to use the server’s full DNS name: http://support.microsoft.com/kb/940726

CA/Browser Forum 2012 – Page 5 Guidance on the Deprecation of Internal Server Names